Kin is an offline-first app in which user data stays on the device, so the trust users place in the app and the integrity of that data are a top priority.
This document explains how to report security vulnerabilities in Kin and how such reports are handled.
If you discover a security issue, please report it privately through GitHub Security Advisories. This is the only supported reporting channel.
- Open a private report through the repository's GitHub Security Advisory feature
- Do not open public issues or pull requests for security vulnerabilities
Please include:
- A clear description of the issue
- Steps to reproduce
- A Proof of Concept (if possible)
- Any relevant code, logs, or configuration
Reports without sufficient detail may not be actionable.
We do not accept security reports that were generated purely by AI tools. An AI-assisted report may be considered only if it includes:
- Human verification of the finding
- A valid Proof of Concept
- Clear reproduction steps
- A realistic assessment of the impact
Low-quality or AI-only reports will be closed.
Only the latest release is supported; fixes are shipped as new releases rather than backported.
Please confirm that the issue still reproduces on the most recent version of Kin before reporting it.
We follow a private (coordinated) disclosure process:
- Vulnerabilities must be reported privately via GitHub Security Advisories
- Do not disclose an issue publicly until a fix has been released
When a valid report is submitted, we will:
- Investigate and confirm the issue
- Develop a fix as quickly as possible
- Release the fix in a new version before any public disclosure
- Disclose the vulnerability responsibly once the fix is available (if applicable)
Keep reports focused and reproducible. Clear, minimal examples help us resolve issues faster.
Thanks for helping keep Kin secure! ❤️